Skip to content

Active Directory Protection

Guard your workforce where identity actually lives.

Active Directory Protection blocks weak and breached passwords the instant they're set, audits every account continuously, and drives every risk to closure, inside standard Windows password workflows, with no plaintext leaving the domain controller.

Request a Demo Get a Free Assessment
NIST 800-63B ALIGNED·SCOPED BY OU / GROUP / USER·NO PLAINTEXT LEAVES THE DC
AD_PROTECTION · PASSWORD_FILTERDC-01
SET_PASSWORDa.reyesBlocked
REASONFOUND IN LEAK DATASET
SET_PASSWORDm.osmanBlocked
REASONCONTAINS USERNAME
SET_PASSWORDj.kellerAccepted
FINGERPRINTS ONLY · NO PLAINTEXT STOREDPOLICY NIST_800-63B

Real-time enforcement

Policy enforced in real time, at the moment of change.

A password change is blocked the instant it fails any check:

Found in a leak dataset

Matched against billions of breached records: cloud, on-prem, or air-gapped.

Matches a blacklist rule

Forbidden words, banned terms, or predictable patterns.

Reuse detected

A previous or previously-blocked password can't be set again.

Violates NIST-aligned policy

Fails the password policy that applies to that user or group.

Contains personal identity data

Username, name, or email embedded in the password.

The moment of change

What happens in the seconds a password is set.

The whole exchange happens inside standard Windows password workflows: the filter intercepts the change on the domain controller, every check runs, and the user gets an instant verdict.

Blocked means blocked: the risky password is never set. And a confirmed risk stays open until the forced reset is verified clean: genuinely different, not itself compromised, and within policy.

Granular policy

Granular, not one-size-fits-all.

Static complexity rules give way to policies you scope precisely to who and where they apply. Set different rules at three levels so the right policy reaches the right people without blanket friction.

Organizational unit

Apply a baseline policy across an entire OU in one move.

Group

Tighten rules for privileged or sensitive groups without touching everyone else.

User

Set exceptions or stricter requirements down to the individual account.

Forbidden words

Forbidden words and blacklists, blocked in real time.

Company-specific terms

Company and brand names, product names, seasons, months, and local or industry words.

Personal identity data

Username, full/first/last name, and email address, denied anywhere inside the password.

Predictable structure

Dictionary words, repeated characters, consecutive numbers, and keyboard sequences.

Leak & similarity matching

Denies breached passwords plus normalized and near-match variants within a similarity distance.

Continuous auditing

Every password watched, continuously, not just at reset.

ALWAYS-ON

Always-on analysis

Existing and newly changed passwords evaluated continuously; exposure caught whenever it occurs.

SCREENING

Breached-password screening

Matched against cloud, on-premise, and air-gapped leak databases, with scheduled or real-time updates.

OVER TIME

Exposure tracked over time

Accounts re-checked as new leaks surface; every finding followed from detected to remediated.

STRUCTURAL

Structural weaknesses

Surfaces blank passwords, one password shared across many accounts, and old or weakly-stored formats.

Remediation to closure

The actions PassVision takes: detection to closure.

01

Force password reset

Automatically require the affected user to reset a compromised or non-compliant password.

02

Block the change

Reject a failing password outright at the point of change; the risky one is never set.

03

Notify the user

Alert the affected user directly, with the reason and the required action.

04

Alert an admin

Raise a context-rich alert to security, forwarded to your SIEM with full detail.

Reset verification.

Every forced reset is verified: PassVision confirms the new password is genuinely different, is not itself compromised, and meets policy before access continues. Proof of enforcement, not just a request.

Secure by design

Secure by design.

Every check runs on irreversible fingerprints: no plaintext password is stored or processed by the AD screening path. Enforcement lives inside your directory; no plaintext leaves the environment.

IRREVERSIBLE FINGERPRINTS·NO PLAINTEXT ON THE AD PATH·ENFORCEMENT INSIDE YOUR DIRECTORY
See our Trust & Security model →

Common questions

Active Directory Protection, answered.

Is PassVision aligned with NIST 800-63B?

Yes. PassVision's policy engine is aligned with NIST 800-63B (blocking known-compromised passwords, removing arbitrary composition rules, and enforcing context-aware policy) and produces audit-ready evidence.

Can PassVision run on-premises or air-gapped?

Yes. PassVision is self-hosted on-premises or in your own cloud, never multi-tenant SaaS. Active Directory Protection and the breached-password database can run fully air-gapped. Web Credential Verification reaches live external targets, so it requires outbound connectivity.

See all frequently asked questions →

The weak password never exists. The exposed one never hides.

Block it at the moment of change. Track every account continuously. Drive every risk to verified closure.

Request a Demo Get a Free Assessment